Probabilistic model checkers like PRISM only check probabilistic systems of a fixed size. To guarantee the desired properties for an arbitrary size, mathematical analysis is necessary. We show for two case studies how this can be done in the interactive proof assistant Isabelle/HOL. The first case study is a detailed description of how we verified properties of the ZeroConf protocol, a decentralized address allocation protocol. The second case study shows the more involved verification of anonymity properties of the Crowds protocol, an anonymizing protocol.

1 Introduction 

The predominant approach to verification of probabilistic systems is model checking and the most popular model checker is PRISM [17]. Model checking is automatic, but restricted to fixed finite models. In this paper we put forward interactive theorem proving as a realistic alternative approach that can deal with infinite-state systems on an abstract mathematical level of Markov chains. The specific contributions of this paper are two case studies that illustrate our approach: the ZeroConf protocol for decentralized address allocation and the anonymizing Crowds protocol. The verifications are carried out in the proof assistant Isabelle/HOL [21].

The characteristics of the theorem proving approach are: 

• It can deal with infinite-state systems, although this paper considers only parameterized finite-state 
systems. 

• It is not restricted to some fixed set of concepts but user-extensible. 

• Logical soundness of the system depends only on the soundness of a small fixed and trustworthy 
kernel of the theorem prover. 

• It requires familiarity with a theorem prover and a problem-dependent amount of work for each verification.

In a nutshell, it is mathematics, but checked by a computer. These characteristics indicate that the 
approach is more suitable for a research environment than a product development environment. 

2 Formalization of probability in Isabelle/HOL 

To reason about Markov chains, especially about the probability that a path is in a certain set, requires measure and probability theory. This section gives a short introduction to the formalization of the theories required by this paper. For a more detailed overview of the measure space formalization see Hölzl and Heller [11], and for the formalization of Markov chains see Hölzl and Nipkow [12].
2.1 Isabelle/HOL notation

Isabelle/HOL largely follows ordinary mathematical notation. With a few exceptions, we follow Isabelle/HOL notation in this paper, to give the reader a better impression of the look-and-feel of the work. HOL is based on $\lambda$-calculus. Hence functions are usually curried ($\tau_1 \to \tau_2 \to \tau_3$ rather than $\tau_1 \times \tau_2 \to \tau_3$) and function application is written $f\ a$ rather than $f(a)$. The letters $\alpha$ and $\beta$ stand for type variables. Type $\mathbb{B}$ is the type of boolean values. Type $\tau\ \mathit{set}$ is the type of sets with elements of type $\tau$. Notation $t :: \tau$ means that $t$ is a term of type $\tau$. We regard functions of type $\mathbb{N} \to \tau$ as infinite sequences of elements of type $\tau$. Prepending an element $a :: \tau$ to a sequence $\omega :: \mathbb{N} \to \tau$ is written $a \cdot \omega$ and means $\lambda i.\ \text{if } i = 0 \text{ then } a \text{ else } \omega\ (i - 1)$. The term $\mathrm{LEAST}\ n.\ P\ n$ is the least natural number $n$ such that $P\ n$ holds. If there is no such $n$, then the term has some arbitrary (defined!) value, but we do not know which.

2.2 Probability space 

In this paper we are only interested in probabilities, hence we write measures as $\Pr_s :: \alpha\ \mathit{set} \to \mathbb{R}$, where $s$ indicates the particular probability measure under consideration. Similarly for the measurable sets we write $\mathcal{A}_s :: \alpha\ \mathit{set}\ \mathit{set}$ and for the entire space we write $\Omega_s :: \alpha\ \mathit{set}$. Here $\alpha$ is an arbitrary type where we cut out a space $\Omega_s$. This is necessary as in many cases we are only interested in a subset of the entire type, e.g. $\alpha$ is the type of natural numbers $\mathbb{N}$ and we want to have a distribution on the finite subset $\Omega_s = \{0, \ldots, N\}$. We usually drop $\Omega_s$ and write $\{\omega \mid P\ \omega\}$ instead of $\{\omega \in \Omega_s \mid P\ \omega\}$ and $\Pr_s(\omega.\ P\ \omega)$ instead of $\Pr_s \{\omega \in \Omega_s \mid P\ \omega\}$.

The measurable sets $\mathcal{A}_s$ form a $\sigma$-algebra, hence they are closed under conjunction, disjunction, negation and countably bounded universal and existential quantification. We have the defining properties on the probability measure $\Pr_s$, as $\Pr_s \emptyset = 0$, $\Pr_s \Omega_s = 1$, it is non-negative: $0 \le \Pr_s A$ and countably additive: For a measurable and disjoint family $P :: \mathbb{N} \to \alpha \to \mathbb{B}$

$\Pr_s(\omega.\ \exists i.\ P\ i\ \omega) = \sum_i \Pr_s(\omega.\ P\ i\ \omega)\,.$

For a finite probability space measurable sets need only be closed under finite bounded quantifiers, and the probability needs only be finitely additive, instead of countably additive. Unfortunately, the path space on Markov chains is neither finite nor discrete, so we need $\sigma$-algebras and countably additive probability measures.

We also need conditional probability and define it as usual: 

$\Pr_s(\omega.\ P\ \omega \mid Q\ \omega) = \Pr_s(\omega.\ P\ \omega \wedge Q\ \omega) / \Pr_s(\omega.\ Q\ \omega)\,.$

The AE-quantifier $\mathrm{AE}_s\ \omega.\ P\ \omega$ on a path measure $\Pr_s$ states that the property $P$ holds with probability 1. Isabelle/HOL also has a formalization of the Lebesgue integral on probability spaces, as notation we use $\int f\ \omega\ \mathrm{d}\Pr_s$.

2.3 Markov chains 

We introduce Markov chains as probabilistic automata, i.e. as discrete-time time-homogeneous finite-space Markov processes. A Markov chain is defined by its state space $S :: \alpha\ \mathit{set}$ and an associated transition matrix $\tau :: \alpha \to \alpha \to \mathbb{R}$. We assume no initial distribution or starting state, however when measuring paths we always provide a starting state. A path on a Markov chain is a function $\mathbb{N} \to S$, i.e. an infinite sequence of states visited in the Markov chain.

$\mathit{markov\text{-}chain}\ S\ \tau = \mathit{finite}\ S \wedge S \neq \emptyset \wedge (\forall s, s' \in S.\ 0 \le \tau\ s\ s') \wedge (\forall s \in S.\ (\sum_{s' \in S} \tau\ s\ s') = 1)$



For the rest of this section we assume a Markov chain with state space $S$ and transition matrix $\tau$. We write $E(s)$ for the set of all successor states, i.e. all $s' \in S$ with $\tau\ s\ s' \neq 0$. Note that a path $\omega$ does not require that $\omega\ (i + 1)$ is a successor of $\omega\ i$.

We have defined a probability space $(\mathbb{N} \to S, \mathcal{A}, \Pr_s)$ on the space of all paths $\mathbb{N} \to S$ for a starting state $s \in S$. The measurable sets are the $\sigma$-algebra generated by all sets $\{\omega \in \mathbb{N} \to S \mid \omega\ i = t\}$ where $i \in \mathbb{N}$ and $t \in S$. The measure $\Pr_s$ (depending on the starting state $s \in S$ and $\tau$) is defined via an infinite product and is shown to satisfy the following key property (where $s \cdot \omega$ prepends $s$ to $\omega$):

$\forall \omega \in \mathbb{N} \to S, n.\ \Pr_s \{\omega' \mid \forall i < n.\ \omega'\ i = \omega\ i\} = \prod_{i < n} \tau\ ((s \cdot \omega)\ i)\ (\omega\ i)$

Note that $\Pr_s$ explicitly carries the starting state and yields the transition probability for the steps $s \to_\tau \omega\ 0 \to_\tau \omega\ 1 \to_\tau \cdots \to_\tau \omega\ (n - 1)$.

We also use Markov reward chains, where we assign a cost or reward to each transition:

$\mathit{markov\text{-}reward\text{-}chain}\ S\ \tau\ \rho = \mathit{markov\text{-}chain}\ S\ \tau \wedge (\forall s, s' \in S.\ 0 \le \rho\ s\ s')$

This approach allows a very easy definition of a Markov chain given as a transition system. Other formalizations of Markov chains [13, 19] use the probability space $\mathbb{N} \to \mathbb{B}$. This requires providing a measurable function $X\ t\ \omega$, mapping a sequence of boolean choices $\omega :: \mathbb{N} \to \mathbb{B}$ into a state at time $t$. In our approach the set of states $S$ and the transition matrix $\tau$ are enough.

Some models require an arbitrary set $I$ of independent variables $X_i$ with distribution $P_i$. For this case we provide the product $\prod_i P_i$. We use this product space to construct the path space for our Markov chains. Furthermore the probability space $\mathbb{N} \to \mathbb{B}$ is just a special instance of the generalized product space.

2.3.1 Iterative equations 

The Markov chain induces iterative equations on the probability $\Pr_s$, the Lebesgue integral and the AE-quantifier, relating properties about $s$ to properties of $E(s)$. These equations are often useful in inductive proofs and already give a hint how to prove concrete properties of probabilities and integrals. If $A$, $P$, and $f$ are measurable and $s \in S$, then the following equations hold:

$\Pr_s A =$

$\mathrm{AE}_s\ \omega.\ P\ \omega = \forall s' \in E(s).\ \mathrm{AE}_{s'}\ \omega.\ P\ (s' \cdot \omega)$

2.3.2 Reachability

Let $\Phi$ be a subset of $S$. A state $s'$ is reachable via $\Phi$ starting in $s$ iff there is a non-zero probability to reach $s'$ by only going through the specific set of states $\Phi$. The starting state $s$ and the final state $s'$ need not be in $\Phi$.

$\mathit{reachable}\ \Phi\ s = \{\, s' \in S \mid \exists \omega \in \Omega, n.\ (\forall i \le n.\ \omega\ i \in E((s \cdot \omega)\ i)) \wedge (\forall i < n.\ \omega\ i \in \Phi) \wedge \omega\ n = s' \,\}$
Reachability is a purely qualitative property, as it is defined on the graph of non-zero transitions.

The until-operator introduces a similar concept on paths. Its definition does not assume that a state is a successor state of the previous one, as this is already ensured by $\Pr_s$.

$\mathit{until}\ \Phi\ \Psi = \{\omega \mid \exists n.\ (\forall i < n.\ \omega\ i \in \Phi) \wedge \omega\ n \in \Psi\}$

Can we compute $\Pr_s(\mathit{until}\ \Phi\ \Psi)$ using only $\mathit{reachable}$? It is easy to show that $\Pr_s(\mathit{until}\ \Phi\ \Psi) = 0$ iff $(\mathit{reachable}\ \Phi\ s) \cap \Psi = \emptyset$. But is there also a way to characterize $\Pr_s(\mathit{until}\ \Phi\ \Psi) = 1$ in terms of $\mathit{reachable}$?

2.3.3 Fairness 

To show that reachable can be used to guarantee that states are reached with probability 1, we need state fairness. A path $\omega$ is state fair w.r.t. $s$ and $t$ if $s$ appears only finitely often provided that $t$ also appears only finitely often as the successor of $s$ in $\omega$. The definition and proofs about state fairness are based on the thesis by Baier [5].

$\mathit{fair}\ s\ t = \{\omega \mid \mathit{finite}\ \{n \mid \omega\ n = s \wedge \omega\ (n + 1) = t\} \Longrightarrow \mathit{finite}\ \{n \mid \omega\ n = s\}\}$

We show that almost every path is state fair for each state and its successors.

$\forall s, s' \in S, t' \in E(s').\ \mathrm{AE}_s\ \omega.\ s \cdot \omega \in \mathit{fair}\ s'\ t'$

Using this we prove that starting in a state $s$ almost every path fulfills $\mathit{until}\ \Phi\ \Psi$ if (1) all states reachable via $\Phi$ are in $\Phi$ or $\Psi$ and (2) each state reachable from $s$ has the possibility to reach $\Psi$. This theorem allows us to prove that $\mathit{until}\ \Phi\ \Psi$ holds almost everywhere by a reachability analysis on the graph:

$s \in \Phi \wedge \Phi \subseteq S \wedge \mathit{reachable}\ (\Phi \setminus \Psi)\ s \subseteq \Phi \cup \Psi \wedge (\forall t \in (\mathit{reachable}\ (\Phi \setminus \Psi)\ s \cup \{s\}) \setminus \Psi.\ \mathit{reachable}\ (\Phi \setminus \Psi)\ t \cap \Psi \neq \emptyset) \Longrightarrow \mathrm{AE}_s\ \omega.\ s \cdot \omega \in \mathit{until}\ \Phi\ \Psi$

2.3.4 Hitting time 

The hitting time on a path $\omega$ is the first index at which a state from a set $\Phi$ occurs:

$\mathit{hitting\text{-}time}\ \Phi\ \omega = \mathrm{LEAST}\ i.\ \omega\ i \in \Phi$

Note that if there is no $i$ such that $\omega\ i \in \Phi$ then $\mathit{hitting\text{-}time}\ \Phi\ \omega$ is some arbitrary, underspecified natural number. For the computation of rewards it is important to know if the expected hitting time is finite. We show that the expected hitting time of $\Phi$ for paths starting in $s$ is finite if almost every path starting in $s$ reaches $\Phi$. If $s \in S$ and $\mathrm{AE}_s\ \omega.\ s \cdot \omega \in \mathit{until}\ S\ \Phi$ then

$\int \mathit{hitting\text{-}time}\ \Phi\ (s \cdot \omega)\ \mathrm{d}\Pr_s < \infty$

For Markov reward chains we are interested in the transition costs until a set of states occurs:

$\mathit{cost\text{-}until}\ \Phi\ \omega = \text{if } \exists i.\ \omega\ i \in \Phi \text{ then } \sum_{i < \mathit{hitting\text{-}time}\ \Phi\ \omega} \rho\ (\omega\ i)\ (\omega\ (i + 1)) \text{ else } \infty$
3 Case study: The ZeroConf protocol

Ad-hoc networks usually do not have a central address authority assigning addresses to new nodes in the network. Examples are consumer networks where users want to connect their laptops to exchange data or attach a network-capable printer. When connecting with WiFi these devices use IPv4 and hence need IPv4 addresses to communicate with each other.

The ZeroConf protocol [6] is a distributed network protocol which allows new hosts in the network to allocate an unused link-local IPv4 address. A link-local address is only valid in the local network, e.g. a WiFi network. We assume point-to-point communication in our local network, and hence communicate directly with each host identified by a valid address. The problem with IPv4 addresses is that they are limited, i.e. they are represented by 32-bit numbers, and for the local network the addresses from 169.254.1.0 to 169.254.254.255 are available, hence we can choose from 65024 distinct addresses. ZeroConf works by randomly selecting an address from this pool and then probing if the address is already in use.

Bohnenkamp et al. give a formal analysis of the probability that an address collision happens, i.e. two hosts end up with the same address. They also analyse the expected run time until a (not necessarily valid) address is chosen. As our first case study we formalize their analysis in Isabelle/HOL.

Andova et al. [1] present a model-checking approach for discrete-time Markov reward chains and apply it to the ZeroConf protocol as a case study. They support multiple reward structures and can compute the probability based on multiple constraints on these reward structures. Kwiatkowska et al. [18] have modelled this protocol as a probabilistic timed automaton in PRISM. Both models include more features of the actual protocol than the model by Bohnenkamp et al. [6] that we follow.

3.1 Description of address allocation 

We give a short description of the model used in Bohnenkamp et al. [6]. The address allocation in ZeroConf uses ARP (address resolution protocol) to detect if an address is in use or not. An ARP request is sent to detect if a specific IPv4 address is already in use. When a host has the requested IPv4 address it answers with an ARP response. ZeroConf allocates a new address as follows:

1. Select uniformly a random address in the range 169.254.1.0 to 169.254.254.255. 

2. Send an ARP request to detect if the address is already in use. 

3. When a host responds to the ARP request, the address is already taken and we need to start again 
(go back to 1). 

4. When no response arrives before a time limit r, we again send an ARP request. This is repeated N 
times. 

5. When no response arrived for N requests we assume our address is not in use and are finished. 

This probabilistic process depends on two parameters: (1) The probability q that the randomly chosen address is already taken; this probability depends on the number of hosts in the network and the number of available addresses. (2) The probability p that either the ARP request or response is lost.

The Markov chain shown in Fig. 1 describes the address allocation from a global viewpoint. At Start a new host is added to the network, it chooses an address and sends the first ARP request. There are two alternatives.
Figure 1: Markov chain of the ZeroConf protocol. The labels are annotated with P,T: the probability P to take this edge and the elapsed time T.

• With probability $1 - q$ the host chooses an unused address, the allocation is finished, the Markov chain directly goes to Ok. Of course, the host does not know this, and still sends out $N + 1$ ARP probes. Hence we associate the time cost $r \cdot (N + 1)$ with this transition.

• With probability $q$ the host chooses a used address and goes to the probing phase: In the Probe n state it sends an ARP request and waits until $r$ time units have passed, or until it receives an ARP response from the address owner. With probability $1 - p$ the host receives an ARP response and needs to choose a new address, so we go back to Start. With probability $p$ this exchange fails and we go to the next probe phase. After $N + 1$ probes, the host assumes the chosen address is free. As two hosts in the network end up with the same address, we have reached the Error state. The time cost $E$ models the cost to repair the double allocation. This might involve restarting a laptop.

3.2 Formal model of ZeroConf address allocation 

The Isabelle/HOL model of the ZeroConf protocol describes the Markov chain in Fig. 1. We set up a context containing the probe numbers (starting with 0), the probabilities p and q, and the costs r and E:

fixes N :: ℕ and p q r E :: ℝ
assumes 0 < p and p < 1 and 0 < q and q < 1
assumes 0 < E and 0 < r

In the following sections we assume that these fixed variables N, p, q, r, and E fulfill the above assumptions of the ZeroConf protocol.

To represent the states in the Markov chain we introduce a new datatype:

datatype zc-state = Start | Probe ℕ | Ok | Error

We have the type zc-state with the distinct objects Start, Ok, Error, and Probe n for all n :: ℕ. The valid states S :: zc-state set are a restriction of this to only valid probe numbers. This also gives us a finite number of states.

$S = \{\mathit{Start}, \mathit{Ok}, \mathit{Error}\} \cup \{\mathit{Probe}\ n \mid n \le N\}$

The final modeling step is to define the transition matrix τ :: zc-state → zc-state → ℝ and the cost function ρ :: zc-state → zc-state → ℝ. Both are defined by a case distinction on the current state and return the zero function which is updated at the states with non-zero transition probability or cost.

τ s = case s of Start ⇒ 0(Probe 0 := q, Ok := 1 − q)
  | Probe n ⇒ if n < N then 0(Probe (n + 1) := p, Start := 1 − p)
              else 0(Error := p, Start := 1 − p)
  | Ok ⇒ 0(Ok := 1)
  | Error ⇒ 0(Error := 1)

ρ s = case s of Start ⇒ 0(Probe 0 := r, Ok := r · (N + 1))
  | Probe n ⇒ if n < N then 0(Probe (n + 1) := r) else 0(Error := E)
  | Ok ⇒ 0
  | Error ⇒ 0

We need to prove that we actually defined a Markov chain: as a consequence, Isabelle/HOL is able to provide the probabilities $\Pr_s A$ for each state $s$ and path set $A$. For this we show that τ is a valid transition matrix for a Markov chain on S, and ρ is a valid cost function:

theorem τ-DTMC: markov-reward-chain S τ ρ

To prove this we need to show that τ and ρ are non-negative for all states in S. And finally we need to show that τ s is a distribution for all s in S, which is easy to show by using the helper lemma S-split:

lemma S-split: $\sum_{s \in S} f\ s = f\ \mathit{Start} + f\ \mathit{Ok} + f\ \mathit{Error} + \sum_{n \le N} f\ (\mathit{Probe}\ n)$

3.3 Probability of an erroneous allocation 

The correctness property we want to verify is that no collision happens, i.e. we want to compute the 
probability that a protocol run ends in the Error state. The goal of this section is not only to show what 
we proved, but to show how we proved it. Most of the proofs are automatic by rewriting and we do 
not show the details. But we want to show the necessary lemmas and theorems needed to convince 
Isabelle/HOL. 

We define $P_{\mathit{err}} :: \mathit{zc\text{-}state} \to \mathbb{R}$ to reason about the probability that a trace $\omega$ ends in the Error state when we started in a state $s$:

$P_{\mathit{err}}\ s = \Pr_s(\omega.\ s \cdot \omega \in \mathit{until}\ S\ \{\mathit{Error}\})$

Our final theorem will be to characterize $P_{\mathit{err}}\ \mathit{Start}$ only in terms of the system parameters p, q and N.

The first obvious result is that when we are already in Error, we will stay in Error, and when we are in Ok we will never reach Error:

lemma P_err-error: $P_{\mathit{err}}\ \mathit{Error} = 1$
lemma P_err-ok: $P_{\mathit{err}}\ \mathit{Ok} = 0$

P_err-error is proved by rewriting: $\mathit{Error} \cdot \omega \in \mathit{until}\ S\ \{\mathit{Error}\}$ is always true. The Ok case is proved by $\mathit{reachable}\ (S \setminus \{\mathit{Error}\})\ \mathit{Ok} \subseteq \{\mathit{Ok}\}$. Together with lemma S-split and these two lemmas we provide an iterative lemma for P_err:

lemma P_err-iter:
$s \in S \Longrightarrow P_{\mathit{err}}\ s = \tau\ s\ \mathit{Start} \cdot P_{\mathit{err}}\ \mathit{Start} + \tau\ s\ \mathit{Error} + \sum_{n \le N} \tau\ s\ (\mathit{Probe}\ n) \cdot P_{\mathit{err}}\ (\mathit{Probe}\ n)$

However this is a bad rewrite theorem, using it would result in non-termination of the rewrite engine. To avoid this we derive rules for specific states:

lemma P_err-last-probe: $P_{\mathit{err}}\ (\mathit{Probe}\ N) = p + (1 - p) \cdot P_{\mathit{err}}\ \mathit{Start}$
lemma P_err-start-iter: $P_{\mathit{err}}\ \mathit{Start} = q \cdot P_{\mathit{err}}\ (\mathit{Probe}\ 0)$

Our next step is to compute the probability to reach Error when we are in Probe n. This is the only proof which is not done by a simple rewrite step, but it requires induction and two separate rewrite steps. The induction is done over the number n of steps until we are in Error. To give the reader a better feeling for what these proofs look like, here is the skeleton of the Isabelle proof:

lemma P_err-probe-iter: $n \le N \Longrightarrow P_{\mathit{err}}\ (\mathit{Probe}\ (N - n)) = p^{n+1} + (1 - p^{n+1}) \cdot P_{\mathit{err}}\ \mathit{Start}$
proof (induct n)
  case (n + 1)
  have $P_{\mathit{err}}\ (\mathit{Probe}\ (N - (n + 1))) = p \cdot (p^{n+1} + (1 - p^{n+1}) \cdot P_{\mathit{err}}\ \mathit{Start}) + (1 - p) \cdot P_{\mathit{err}}\ \mathit{Start}$
    <proof>
  also have $\cdots = p^{n+2} + (1 - p^{n+2}) \cdot P_{\mathit{err}}\ \mathit{Start}$
    <proof>
  finally show $P_{\mathit{err}}\ (\mathit{Probe}\ (N - (n + 1))) = p^{n+2} + (1 - p^{n+2}) \cdot P_{\mathit{err}}\ \mathit{Start}$ .
qed simp - The 0-case is a simple rewriting step with P_err-last-probe.

Together with P_err-start-iter we prove our final theorem:

theorem P_err-start: $P_{\mathit{err}}\ \mathit{Start} = (q \cdot p^{N+1}) / (1 - q \cdot (1 - p^{N+1}))$

With typical parameters for the ZeroConf protocol (16 hosts (q = 16/65024), 3 probe runs (N = 2) and a probability of p = 0.01 to lose ARP packets) we compute (by rewriting) in Isabelle/HOL that the probability to reach Error is below $1/10^{13}$:

theorem $P_{\mathit{err}}\ \mathit{Start} < 1/10^{13}$

3.4 Expected running time of an allocation run

Users are not only interested in a very low error probability but also in a fast allocation time for a network address. Obviously there are runs which may take very long, but the probability of these runs is near zero. So we want to verify that the average running time of an allocation run is in the time range of milliseconds.

The running time of an allocation run $C_{\mathit{fin}} :: \mathit{zc\text{-}state} \to \mathbb{R}$ is modelled as the integral over the sum of all costs ρ for each step in each run. The sum of all steps until either Ok or Error is reached is simply cost-until:

$C_{\mathit{fin}}\ s = \int \mathit{cost\text{-}until}\ \{\mathit{Error}, \mathit{Ok}\}\ (s \cdot \omega)\ \mathrm{d}\Pr_s$
Figure 2: The established route $J_1 - J_4 - J_2 - J_1 - J_4 - C_1 - S$

In order to evaluate the integral we first show that it is finite. This is the case if cost-until {Error, Ok} is finite almost everywhere. So we first show that almost every path reaches {Error, Ok}:

lemma AE-term:

Using this we show an elementary form of $C_{\mathit{fin}}$ in a similar way to $P_{\mathit{err}}$:

lemma C_fin-start: $C_{\mathit{fin}}\ \mathit{Start} = (q \cdot (r + p^{N+1} \cdot E + r \cdot p \cdot (1 - p^N)/(1 - p)) + (1 - q) \cdot (r \cdot (N + 1))) / (1 - q + q \cdot p^{N+1})$

With typical values (16 hosts, 3 probe runs, a probability of p = 0.01 to lose ARP packets, 2 ms for an ARP round-trip (r = 0.002) and an error penalty of one hour (E = 3600)) we compute in Isabelle/HOL that the average time to terminate is less than or equal to 0.007 s:

theorem $C_{\mathit{fin}}\ \mathit{Start} \le 0.007$
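The ZeroConf chain of Sections 3.2 to 3.4 cross-checked numerically, as an added example that is not part of the paper or its Isabelle theories: it builds τ and ρ as finite tables, checks the markov-reward-chain conditions, applies the reachability criterion of Section 2.3.3 where the paper uses lemma AE-term, and solves the P_err-iter and cost equations exactly so the results can be compared with theorem P_err-start and lemma C_fin-start. All function names are the example's own; the parameter values are the ones quoted in the text.

```python
from fractions import Fraction


def zeroconf_chain(N, p, q, r, E):
    # tau[s][t] and rho[s][t] of Section 3.2; absent entries are 0, mirroring the
    # Isabelle definitions that update the zero function at a few states
    probe = lambda n: ("Probe", n)
    tau = {"Start": {probe(0): q, "Ok": 1 - q}, "Ok": {"Ok": 1}, "Error": {"Error": 1}}
    rho = {"Start": {probe(0): r, "Ok": r * (N + 1)}, "Ok": {}, "Error": {}}
    for n in range(N + 1):
        nxt = probe(n + 1) if n < N else "Error"
        tau[probe(n)] = {nxt: p, "Start": 1 - p}
        rho[probe(n)] = {nxt: r if n < N else E}
    return list(tau), (lambda s, t: tau[s].get(t, 0)), (lambda s, t: rho[s].get(t, 0))


def is_markov_reward_chain(S, tau, rho):
    # markov-reward-chain S tau rho as defined in Section 2.3
    return S != [] and all(sum(tau(s, t) for t in S) == 1 and
                           all(tau(s, t) >= 0 and rho(s, t) >= 0 for t in S) for s in S)


def reachable(S, tau, phi, s):
    # reachable phi s of Section 2.3.2: follow non-zero transitions, continuing only
    # through states in phi (s itself and the final state need not be in phi)
    seen, todo = set(), [s]
    while todo:
        u = todo.pop()
        for t in S:
            if tau(u, t) != 0 and t not in seen:
                seen.add(t)
                if t in phi:
                    todo.append(t)
    return seen


def ae_until_by_reachability(S, tau, phi, psi, s):
    # graph criterion of Section 2.3.3 that implies AE_s w. s.w in until phi psi
    R = reachable(S, tau, phi - psi, s)
    return (s in phi and phi <= set(S) and R <= phi | psi
            and all(reachable(S, tau, phi - psi, t) & psi for t in (R | {s}) - psi))


def solve_on_chain(S, tau, fixed, rhs):
    # x_s = rhs(s) + sum_t tau s t * x_t for s not in fixed, x_s = fixed[s] otherwise;
    # Gauss-Jordan over exact rationals, so closed forms can be compared with ==
    free = [s for s in S if s not in fixed]
    idx = {s: i for i, s in enumerate(free)}
    rows = []
    for s in free:
        row = [Fraction(0)] * len(free) + [Fraction(rhs(s))]
        row[idx[s]] += 1
        for t in S:
            if t in fixed:
                row[-1] += tau(s, t) * fixed[t]
            else:
                row[idx[t]] -= tau(s, t)
        rows.append(row)
    for c in range(len(free)):
        piv = next(i for i in range(c, len(free)) if rows[i][c] != 0)
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [x / rows[c][c] for x in rows[c]]
        for i in range(len(free)):
            if i != c:
                rows[i] = [a - rows[i][c] * b for a, b in zip(rows[i], rows[c])]
    return {**fixed, **{s: rows[idx[s]][-1] for s in free}}


def zeroconf_p_err(N, p, q):
    # P_err s = Pr_s(w. s.w in until S {Error}) of Section 3.3: 1 in Error, 0 where
    # Error is unreachable (the P_err-ok argument), otherwise the P_err-iter equations
    S, tau, _ = zeroconf_chain(N, p, q, 0, 0)
    fixed = {s: Fraction(1 if s == "Error" else 0) for s in S
             if s == "Error" or "Error" not in reachable(S, tau, set(S), s)}
    return solve_on_chain(S, tau, fixed, lambda s: 0)


def zeroconf_c_fin(N, p, q, r, E):
    # C_fin s = expected cost-until {Error, Ok} from s (Section 3.4); finite because
    # the AE-until criterion holds from every state, which is what lemma AE-term gives
    S, tau, rho = zeroconf_chain(N, p, q, r, E)
    assert all(ae_until_by_reachability(S, tau, set(S), {"Ok", "Error"}, s) for s in S)
    return solve_on_chain(S, tau, {"Ok": Fraction(0), "Error": Fraction(0)},
                          lambda s: sum(tau(s, t) * rho(s, t) for t in S))


def p_err_start_closed(N, p, q):  # theorem P_err-start
    return q * p ** (N + 1) / (1 - q * (1 - p ** (N + 1)))


def c_fin_start_closed(N, p, q, r, E):  # lemma C_fin-start
    return ((q * (r + p ** (N + 1) * E + r * p * (1 - p ** N) / (1 - p))
             + (1 - q) * (r * (N + 1))) / (1 - q + q * p ** (N + 1)))


def check_paper_parameters():
    # 16 hosts, 3 probes, p = 0.01, r = 2 ms and E = 1 h, as in Sections 3.3 and 3.4
    N, p, q = 2, Fraction(1, 100), Fraction(16, 65024)
    r, E = Fraction(2, 1000), Fraction(3600)
    S, tau, rho = zeroconf_chain(N, p, q, r, E)
    perr, cfin = zeroconf_p_err(N, p, q), zeroconf_c_fin(N, p, q, r, E)
    return {
        "markov_reward_chain": is_markov_reward_chain(S, tau, rho),
        "p_err_start": perr["Start"] == p_err_start_closed(N, p, q),
        "p_err_probe_iter": all(  # lemma P_err-probe-iter
            perr[("Probe", N - n)] == p ** (n + 1) + (1 - p ** (n + 1)) * perr["Start"]
            for n in range(N + 1)),
        "c_fin_start": cfin["Start"] == c_fin_start_closed(N, p, q, r, E),
        "c_fin_at_most_7ms": cfin["Start"] <= Fraction(7, 1000),
    }
```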

4 Case study: The Crowds protocol 

The Crowds protocol described by Reiter and Rubin [22] is an anonymizing protocol. The goal is to allow users to connect to servers anonymously. Neither the final server should know which user connects to it, nor attackers collaborating in the network. The Crowds protocol establishes an anonymizing route through a so-called mix network: Each user (Reiter and Rubin name them jondo, pronounced "John Doe") is itself participating in the mix network. When a jondo establishes a route, it first connects to another random jondo which then decides based on a coin flip weighted with $p_f$ if it should connect to the final server, or go through a further jondo, and so on. Figure 2 shows an established route through the jondos $J_1 - J_4 - J_2 - J_1 - J_4 - C_1 - S$. There is no global information about a route available to the participating jondos. For each connection a jondo only knows its immediate neighbours, but no other previous or following jondo, so it may happen that a route is going through a loop, as seen in Fig. 2.

First, Reiter and Rubin [22] show that the server has no chance to guess the original sender. In a second step they assume that some jondos collaborate to guess the jondo initiating the route. They analyse the probability that a collaborating node is the successor of the initiating jondo. This analysis is affected by the fact that the route may go through the initiating jondo multiple times. An analysis of the Crowds protocol in PRISM, for specific sizes, has been conducted by Shmatikov [23].

Similar to the ZeroConf case, we only analyse the Markov chain having a global view on the protocol. We could model the individual behaviour of jondos in Isabelle/HOL and show that this induces our Markov chain model, but this is not in the scope of this paper.



Figure 3: Example Markov chain of the small Crowds network $\{J_1, J_2, J_3\}$

4.1 Formalization of route establishment in the Crowds protocol 

We concentrate on the probabilistic aspects of route establishment in the Crowds protocol. We assume a set jondos of an arbitrary type α (which is just used to uniquely identify jondos), and a strict subset colls, the collaborating attackers. A jondo decides with probability $p_f$ if it chooses another jondo as next step, or if it connects directly to the server. The distribution of the initiating jondos is given by init. Naturally the initiating jondo is not a collaborating jondo. In Isabelle this is expressed as the following context:

fixes jondos colls :: α set and p_f :: ℝ and init :: α → ℝ
assumes 0 < p_f and p_f < 1
assumes jondos ≠ ∅ and colls ≠ ∅ and finite jondos and colls ⊂ jondos
assumes ∀j ∈ jondos. 0 ≤ init j and ∀j ∈ colls. init j = 0 and $\sum_{j \in \mathit{jondos}} \mathit{init}\ j = 1$

The Markov chain has four different phases: start, the initial node, the mixing phase, and finally the end phase where the server is contacted. See Fig. 3 for a small example. Our formalization of Markov chains requires a single start node, otherwise we could choose init as initial distribution. The type of the state α cstate depends on the type of the jondos α.

datatype α cstate = Start | Init α | Mix α | End

Similar to the ZeroConf protocol not all possible values of cstate are necessary. We restrict them further by only allowing non-collaborating jondos as initial jondos, and only elements from jondos participate in the mixing phase. With this definition it is easy to show that the set of states S :: α cstate set is finite.

$S = \{\mathit{Start}\} \cup \{\mathit{Init}\ j \mid j \in \mathit{jondos} \setminus \mathit{colls}\} \cup \{\mathit{Mix}\ j \mid j \in \mathit{jondos}\} \cup \{\mathit{End}\}$

Often we are interested in the jondo referenced by the current state. We introduce jondo-of :: α cstate → α returning the jondo if we are in an initial or mixing state:

jondo-of s = case s of Init j ⇒ j | Mix j ⇒ j



Figure 4: The established route $J_1 - J_4 - J_3 - J_5 - J_4 - C_1 - S$



The transition matrix τ :: α cstate → α cstate → ℝ is defined by a case distinction on all possible transitions. The probabilities for steps from Start are given by the distribution of the initiating jondos init. The first routing jondo is arbitrarily chosen, and the probability of going from a mixing state to a mixing state is the product of $p_f$ to stay in the mixing phase and the probability $1/J$ for the next jondo. With probability $1 - p_f$ the mixing phase is finished and then the Markov chain stays in End. Figure 4 shows an example path through the different phases.

$J = |\mathit{jondos}|$

$H = |\mathit{jondos} \setminus \mathit{colls}|$

τ s t = case (s, t) of (Start, Init j) ⇒ init j
  | (Init j, Mix j') ⇒ 1/J
  | (Mix j, Mix j') ⇒ p_f / J
  | (Mix j, End) ⇒ 1 − p_f
  | (End, End) ⇒ 1
  | _ ⇒ 0




This completes the definition of the Markov chain describing the route establishment in the Crowds protocol. Finally we show that S and τ describe a discrete-time Markov chain:

theorem markov-chain S τ



4.2 The jondo contacting the server is independent from the initiating jondo 

We define a number of path properties of our Markov chain. The functions len :: (ℕ → α cstate) → ℕ, first-jondo :: (ℕ → α cstate) → α and last-jondo :: (ℕ → α cstate) → α operate on paths not containing the Start element. len returns the length of the mixing phase, i.e. how many Mix states are in the path until End is reached, first-jondo is the initiating jondo, and last-jondo is the jondo contacting the server.

$\mathit{len}\ \omega = (\mathrm{LEAST}\ n.\ \omega\ n = \mathit{End}) - 2$
$\mathit{first\text{-}jondo}\ \omega = \mathit{jondo\text{-}of}\ (\omega\ 0)$
$\mathit{last\text{-}jondo}\ \omega = \mathit{jondo\text{-}of}\ (\omega\ (\mathit{len}\ \omega + 1))$

The path functions len, first-jondo and last-jondo are well defined on almost every path. The paths in our Markov chain do not contain the Start element, so the paths start with an Init state. Hence for almost every path we know that the first element is an initiating state, then for the next len elements we have mixing states, and finally a tail of End states:

lemma $\mathrm{AE}_{\mathit{Start}}\ \omega.\ \omega \in \mathbb{N} \to S$

lemma $\mathrm{AE}_{\mathit{Start}}\ \omega.\ \exists j \in \mathit{jondos} \setminus \mathit{colls}.\ \omega\ 0 = \mathit{Init}\ j$

lemma $\mathrm{AE}_{\mathit{Start}}\ \omega.\ \forall i \le \mathit{len}\ \omega.\ \exists j \in \mathit{jondos}.\ \omega\ (i + 1) = \mathit{Mix}\ j$

lemma $\mathrm{AE}_{\mathit{Start}}\ \omega.\ \forall i > \mathit{len}\ \omega.\ \omega\ (i + 1) = \mathit{End}$

With this we can easily show that the jondo contacting the server is independent from the initiating jondo:

lemma
assumes $l \in \mathit{jondos}$ and $i \in \mathit{jondos} \setminus \mathit{colls}$
shows $\Pr_{\mathit{Start}}(\omega.\ \mathit{first\text{-}jondo}\ \omega = i \wedge \mathit{last\text{-}jondo}\ \omega = l) = \Pr_{\mathit{Start}}(\omega.\ \mathit{first\text{-}jondo}\ \omega = i) \cdot \Pr_{\mathit{Start}}(\omega.\ \mathit{last\text{-}jondo}\ \omega = l)$

4.3 Probability that initiating jondo contacts a collaborator 

The attacker model assumes that the collaborators want to detect the initiator of a route. This is obviously only possible if one of the collaborators is chosen as one of the mixing jondos. We have two goals: (1) If the number of collaborators is small, the probability to contact a collaborator should be near zero. (2) We want to analyse the probability that the initiating jondo directly contacts a collaborator. When we know the ratio of collaborators to jondos, how can we adjust $p_f$, so that this probability is less than or equal to $1/2$?

The random variable hit-colls :: (ℕ → α cstate) → 𝔹 is true if a collaborator participates in the mixing phase, first-coll :: (ℕ → α cstate) → ℕ is the mixing phase in which the collaborator is hit, and last-ncoll :: (ℕ → α cstate) → α is the last non-collaborating jondo, i.e. the jondo contacting a collaborator.

$\mathit{hit\text{-}colls}\ \omega = \exists n, j \in \mathit{colls}.\ \omega\ n = \mathit{Mix}\ j$

$\mathit{first\text{-}coll}\ \omega = (\mathrm{LEAST}\ n.\ \exists j \in \mathit{colls}.\ \omega\ n = \mathit{Mix}\ j) - 1$

$\mathit{last\text{-}ncoll}\ \omega = \mathit{jondo\text{-}of}\ (\omega\ (\mathit{first\text{-}coll}\ \omega))$

The property we want to check only makes sense if a collaborator participates in the mixing phase. So we first prove the probability to hit a collaborator:

lemma $\Pr_{\mathit{Start}}(\omega.\ \mathit{hit\text{-}colls}\ \omega) = (1 - H/J) / (1 - H/J \cdot p_f)$

We already see that the probability to hit a collaborator goes to 0 if the number of collaborators and $p_f$ stay constant and $J \to \infty$. Then $H/J \to 1$ and hence $\Pr_{\mathit{Start}}(\omega.\ \mathit{hit\text{-}colls}\ \omega) \to 0$. Thus our first goal is satisfied.
Additionally, we want to control the probability that the initiating jondo hits a collaborator. For this, we compute the probability to have a fixed first and last non-collaborating jondo before we hit a collaborator:

lemma P-first-jondo-last-ncoll:
assumes $l \in \mathit{jondos} \setminus \mathit{colls}$ and $i \in \mathit{jondos} \setminus \mathit{colls}$
shows $\Pr_{\mathit{Start}}(\omega.\ \mathit{first\text{-}jondo}\ \omega = i \wedge \mathit{last\text{-}ncoll}\ \omega = l \mid \mathit{hit\text{-}colls}\ \omega) = \mathit{init}\ i \cdot (p_f / J + (\text{if } i = l \text{ then } 1 - H/J \cdot p_f \text{ else } 0))$

Note that the conditional probability does not divide by 0 because $\Pr_{\mathit{Start}}(\omega.\ \mathit{hit\text{-}colls}\ \omega) \neq 0$ by the previous lemma. By summing up over all possible non-collaborating jondos we show the probability that the last non-collaborating jondo is the initiating jondo:

theorem $\Pr_{\mathit{Start}}(\omega.\ \mathit{first\text{-}jondo}\ \omega = \mathit{last\text{-}ncoll}\ \omega \mid \mathit{hit\text{-}colls}\ \omega) = 1 - (H - 1)/J \cdot p_f$

With this we can now enforce that the probability that the initiating jondo hits a collaborator is less than or equal to $1/2$:

lemma $H > 1 \wedge J / (2 \cdot (H - 1)) \le p_f \Longrightarrow \Pr_{\mathit{Start}}(\omega.\ \mathit{first\text{-}jondo}\ \omega = \mathit{last\text{-}ncoll}\ \omega \mid \mathit{hit\text{-}colls}\ \omega) \le 1/2$

Reiter and Rubin [22] call this probably innocent. Because $p_f < 1$ this is only possible if $1/2 < (H - 1)/J$, i.e. more than half of the jondos are non-collaborating. This meets our second goal.
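The Crowds chain of Section 4.1 on a small constructed network, as an added example that is not part of the paper or its Isabelle theories: it propagates probability mass through the chain to obtain Pr_Start(hit-colls) and the joint distribution of first-jondo and last-ncoll given hit-colls, and compares them with the hit-colls lemma, lemma P-first-jondo-last-ncoll, the probable-innocence bound of Section 4.3 and the mutual-information theorem of Section 4.4. The function names, the network (10 jondos, two of them collaborating) and the init distribution are assumptions of the example.

```python
from math import log2


def crowds_chain(jondos, colls, pf, init):
    # state set S and transition matrix tau exactly as in Section 4.1
    J = len(jondos)
    S = ([("Start",)] + [("Init", j) for j in sorted(jondos - colls)]
         + [("Mix", j) for j in sorted(jondos)] + [("End",)])

    def tau(s, t):
        if s[0] == "Start" and t[0] == "Init":
            return init[t[1]]
        if s[0] == "Init" and t[0] == "Mix":
            return 1 / J                  # first routing jondo chosen uniformly
        if s[0] == "Mix" and t[0] == "Mix":
            return pf / J                 # keep mixing, next jondo uniform
        if s[0] == "Mix" and t[0] == "End":
            return 1 - pf                 # contact the server
        if s[0] == "End" and t[0] == "End":
            return 1
        return 0

    return S, tau


def first_last_given_hit(jondos, colls, pf, init, eps=1e-15):
    # Push probability mass through the chain, carrying the initiating jondo i
    # next to the current non-collaborating state. Mass that steps from a state
    # with jondo l into a collaborator's Mix state is the event first-jondo = i,
    # last-ncoll = l (definitions of Section 4.3); mass reaching End never hits.
    # Returns Pr_Start(hit-colls) and the joint distribution given hit-colls.
    S, tau = crowds_chain(jondos, colls, pf, init)
    dist = {(s[1], s): tau(("Start",), s) for s in S if s[0] == "Init"}
    joint = {}
    while sum(dist.values()) > eps:      # remaining mass shrinks by pf*H/J per step
        nxt = {}
        for (i, u), mass in dist.items():
            for t in S:
                pr = tau(u, t)
                if pr == 0 or t[0] != "Mix":
                    continue
                key = (i, u[1]) if t[1] in colls else (i, t)
                tgt = joint if t[1] in colls else nxt
                tgt[key] = tgt.get(key, 0.0) + mass * pr
        dist = nxt
    hit = sum(joint.values())
    return hit, {k: v / hit for k, v in joint.items()}


def mutual_information(joint):
    # discrete I(X;Y) of Section 4.4 for a joint distribution over pairs (x, y)
    px, py = {}, {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return sum(p * log2(p / (px[x] * py[y])) for (x, y), p in joint.items() if p > 0)


def check_crowds_example():
    # constructed network: 10 jondos, two collaborating, p_f = 0.8, and a
    # non-uniform init in which jondo j initiates with probability j/36
    jondos, colls, pf = set(range(1, 11)), {9, 10}, 0.8
    init = {j: (0.0 if j in colls else j / 36) for j in jondos}
    J, H = len(jondos), len(jondos - colls)
    hit, joint = first_last_given_hit(jondos, colls, pf, init)
    honest = jondos - colls
    lemma_ok = all(abs(joint.get((i, l), 0.0)
                       - init[i] * (pf / J + (1 - H / J * pf if i == l else 0))) < 1e-9
                   for i in honest for l in honest)
    p_same = sum(p for (i, l), p in joint.items() if i == l)
    bound = 1 - (H - 1) / J * pf
    return {
        "hit_colls_lemma": abs(hit - (1 - H / J) / (1 - H / J * pf)) < 1e-9,
        "first_jondo_last_ncoll_lemma": lemma_ok,
        "first_eq_last_theorem": abs(p_same - bound) < 1e-9,
        "probable_innocence": J / (2 * (H - 1)) <= pf and p_same <= 0.5,
        "mutual_information_bound": mutual_information(joint) <= bound * log2(H) + 1e-12,
    }
```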

4.4 Information gained by the collaborators 

Obviously, in Isabelle/HOL we are not only restricted to state probabilities or expectations. For example, 
for quantitative information flow analysis, similar to the analysis by Malacaria [20], we are interested 
in the mutual information Z S (X;Y) between two random variables X and Y. The mutual information is 
formalized in Isabelle/HOL using the Radon-Nikodym derivative. However, we know that if X and Y are 
simple functions, i.e. functions with a finite range, then I S (X; Y) can be computed in the known discrete 
way: 

lemma $\text{simple-function}\ S\ X \Longrightarrow \text{simple-function}\ S\ Y \Longrightarrow$ 

$\mathcal{I}_S(X;Y) = \sum_{(x,y) \in \{(X\ \omega,\, Y\ \omega) \mid \omega.\ \omega \in \Omega\}} \Pr_S(\omega.\ X\ \omega = x \wedge Y\ \omega = y) \cdot$ 

$\log_2 \big(\Pr_S(\omega.\ X\ \omega = x \wedge Y\ \omega = y) \,/\, (\Pr_S(\omega.\ X\ \omega = x) \cdot \Pr_S(\omega.\ Y\ \omega = y))\big)$ 

We are only interested in runs which hit a collaborator. To use mutual information with this restriction 
we introduce the conditional probability $\Pr_{\text{hit-colls}}$, with the condition that each run hits a collaborator. Its 
characteristic property (we omit the technical definition) is 

lemma $\text{measurable}\ S\ P \Longrightarrow \Pr_{\text{hit-colls}}(\omega.\ P\ \omega) = \Pr_{start}(\omega.\ P\ \omega \mid \text{hit-colls}\ \omega)$ 

With this property and lemma P-first-jondo-last-ncoll we can now show an upper bound for the infor- 
mation flow: 

theorem $\mathcal{I}_{\text{hit-colls}}(\text{first-jondo}; \text{last-ncoll}) \le (1 - (H - 1)/J \cdot p_f) \cdot \log_2 H$ 

This supports the intuitive understanding that the information the attackers can gain is restricted by the 
probability that the initiating jondo is the jondo directly contacting a collaborator. 
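As an added numeric illustration (not part of the paper or its Isabelle formalization), the following Python computes the distribution of (first-jondo, last-ncoll) given hit-colls from lemma P-first-jondo-last-ncoll, sums it to check the theorem and the probable-innocence condition, and evaluates the discrete mutual information of section 4.4 against the stated bound. It assumes a uniform initial distribution init, labels the H non-collaborating jondos 0..H-1, and the sample parameters are constructed.

```python
from fractions import Fraction
from math import log2

# Added illustration, not the paper's Isabelle code. Honest (non-collaborating)
# jondos are labelled 0..H-1; J is the total number of jondos, p_f the forwarding
# probability, init the initial distribution (assumed uniform unless given).

def joint_dist(H, J, p_f, init=None):
    """Pr(first-jondo = i, last-ncoll = l | hit-colls) for all honest i, l,
    following lemma P-first-jondo-last-ncoll:
    init i * (p_f/J + (if i = l then 1 - H/J*p_f else 0))."""
    p_f = Fraction(p_f)
    init = init or [Fraction(1, H)] * H
    assert 1 < H <= J and 0 <= p_f <= 1 and sum(init) == 1
    stop_here = 1 - Fraction(H, J) * p_f      # 1 - H/J * p_f
    return {(i, l): init[i] * (p_f / J + (stop_here if i == l else 0))
            for i in range(H) for l in range(H)}

def prob_initiator_exposed(H, J, p_f):
    """Pr(first-jondo = last-ncoll | hit-colls), summed from the joint
    distribution; the theorem states this equals 1 - (H-1)/J * p_f."""
    return sum(p for (i, l), p in joint_dist(H, J, p_f).items() if i == l)

def probably_innocent(H, J, p_f):
    """Reiter and Rubin's criterion: the initiator is the last honest jondo
    with probability at most 1/2 (the lemma's side condition is H > 1 and
    J/(2*(H-1)) <= p_f)."""
    return prob_initiator_exposed(H, J, p_f) <= Fraction(1, 2)

def mutual_information(dist):
    """Discrete I(X;Y) in bits for a joint distribution {(x, y): p}, i.e. the
    simple-function form of the mutual-information lemma."""
    px, py = {}, {}
    for (x, y), p in dist.items():
        px[x] = px.get(x, 0) + p
        py[y] = py.get(y, 0) + p
    return sum(float(p) * log2(float(p / (px[x] * py[y])))
               for (x, y), p in dist.items() if p > 0)

def info_flow_bound(H, J, p_f):
    """Right-hand side of the theorem: (1 - (H-1)/J * p_f) * log2 H."""
    return float(1 - Fraction(H - 1, J) * Fraction(p_f)) * log2(H)

if __name__ == "__main__":
    H, J, p_f = 9, 10, Fraction(3, 4)          # constructed sample parameters
    dist = joint_dist(H, J, p_f)
    print("exposed:", prob_initiator_exposed(H, J, p_f),
          "probably innocent:", probably_innocent(H, J, p_f))
    print("I(first-jondo; last-ncoll) =", round(mutual_information(dist), 4),
          "<= bound", round(info_flow_bound(H, J, p_f), 4))
```

With H = 9, J = 10 and p_f = 3/4 the exposure probability is 2/5, so the crowd is probably innocent, and the computed mutual information (about 0.40 bit) stays well below the bound of about 1.27 bit.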
5 Related Work 

There is already some work to verify parametric probabilistic models. Hermanns et al. [10] implement 
a probabilistic variant of counterexample-guided abstraction refinement (CEGAR). They handle infinite 
state spaces by breaking them up into finite partitions. Hahn et al. [8] allow parametric transition 
probabilities. The number of states is still fixed, but the transition probabilities are rational functions over 
parameter variables. Katoen et al. [16] present a method to generate and use quantitative invariants for 
linear probabilistic programs. Their motivation is to use these invariants to augment interactive proofs. 

Now we survey other work that models probabilistic systems in an interactive theorem prover. 

We build directly on the formalization of Markov chain theory developed for our verification of pCTL 
model checking [12], which builds on a formalization of measure theory [11]. Ultimately, all of the work 
cited in this section builds on the work of Hurd (see below). However, instead of Hurd's probability 
space $\mathbb{N} \to \mathbb{B}$ we have a probability space on arbitrary functions. This allows for a natural formalization 
of Markov chains over arbitrary state spaces and needs no encoding into booleans. 

The formalization of probability theory in HOL starts with Hurd's thesis [13]. He introduces mea- 
sure theory, proves Carathéodory's theorem about the existence of measure spaces and uses it to in- 
troduce a probability space on infinite boolean sequences. He defines concrete random variables with 
Bernoulli or uniform distribution. Using this work he also analyses a symmetric simple random walk. 
Hasan et al. [9] formalize the analysis of continuous random variables on Hurd's probability space. How- 
ever, their work is quite different from ours in that they do not employ Markov chains. Based on Hurd's 
work, Liu et al. [19] define when a stochastic process is a Markov chain. Their theory does not provide 
everything we need: it is restricted to stochastic processes on Hurd's probability space $\mathbb{N} \to \mathbb{B}$ and does 
not construct the path space of Markov chains defined by transition probabilities. Coble [7] formalizes 
information theory on finite probability spaces. He applies it to a quantitative information flow analysis 
of the Dining Cryptographers protocol. Hurd et al. [14] in HOL4 and Audebaud and Paulin-Mohring [2] 
in Coq formalize semantics of probabilistic programs. Both reason about the probability of program 
termination and only allow discrete distributions for the result values. 

6 Conclusion 

The formalizations are available in the Archive of Formal Proofs [15]. For the ZeroConf protocol the 
formalization was done in a couple of days and required approx. 260 lines of Isabelle/HOL theory. The 
Crowds protocol requires approx. 1060 lines of Isabelle/HOL theory and it took one person a couple of 
weeks to verify. The time necessary for the verification includes finding an estimation for the information 
gained when a collaborator is hit. The probabilities we verified for the ZeroConf protocol and the Crowds 
protocol are expressible as PCTL formulas. However, this is not a restriction of Isabelle/HOL. We can 
express $\omega$-regular properties or multiple reward structures easily in higher-order logic. 

Our future goals include more powerful models like Markov decision processes and continuous-time 
models but also the certification of probabilistic model checker runs in Isabelle/HOL. 

Acknowledgment 

We thank Sergio Giro for reading and commenting on a draft of this paper. We also thank the anonymous 
reviewers for the references on parametric probabilistic model checking. 

References 

[1] S. Andova, H. Hermanns & J.-P. Katoen (2003): Discrete-time rewards model-checked. In K. G. Larsen & 
P. Niebert, editors: FORMATS, LNCS 2791, pp. 88-104, doi:10.1007/978-3-540-40903-8_8. 

[2] P. Audebaud & C. Paulin-Mohring (2009): Proofs of randomized algorithms in Coq. Science of Computer 
Programming 74(8), pp. 568-589, doi:10.1016/j.scico.2007.09.002. 

[3] C. Baier (1998): On the Algorithmic Verification of Probabilistic Systems. Habilitation, U. Mannheim. 

[4] C. Baier & J.-P. Katoen (2008): Principles of Model Checking. The MIT Press, Cambridge, Massachusetts. 

[5] H. Bohnenkamp, P. van der Stok, H. Hermanns & F. Vaandrager (2003): Cost-Optimisation of the IPv4 
Zeroconf Protocol. In: DSN'03, IEEE CS Press, pp. 531-540, doi:10.1109/DSN.2003.1209963. 

[6] S. Cheshire, B. Aboba & E. Guttman (2005): Dynamic Configuration of IPv4 Link-Local Addresses. RFC 
3927 (Proposed Standard). Available at http://www.ietf.org/rfc/rfc3927.txt. 

[7] A. R. Coble (2009): Anonymity, Information, and Machine-Assisted Proof. Ph.D. thesis, U. of Cambridge. 

[8] E. M. Hahn, H. Hermanns & L. Zhang (2011): Probabilistic reachability for parametric Markov models. Int. 
J. on Software Tools for Technology Transfer (STTT) 13(1), pp. 3-19, doi:10.1007/s10009-010-0146-x. 

[9] O. Hasan, N. Abbasi, B. Akbarpour, S. Tahar & R. Akbarpour (2009): Formal Reasoning about Expectation 
Properties for Continuous Random Variables. In A. Cavalcanti & D. Dams, editors: Formal Methods (FM 
2009), LNCS 5850, pp. 435-450, doi:10.1007/978-3-642-05089-3_28. 

[10] H. Hermanns, B. Wachter & L. Zhang (2008): Probabilistic CEGAR. In A. Gupta & S. Malik, editors: 
Computer Aided Verification (CAV 2008), LNCS 5123, pp. 162-175, doi:10.1007/978-3-540-70545-1_16. 

[11] J. Hölzl & A. Heller (2011): Three Chapters of Measure Theory in Isabelle/HOL. In M. C. J. D. 
van Eekelen, H. Geuvers, J. Schmaltz & F. Wiedijk, editors: ITP 2011, LNCS 6898, pp. 135-151, 
doi:10.1007/978-3-642-22863-6_12. 

[12] J. Hölzl & T. Nipkow (2012): Verifying pCTL Model Checking. In C. Flanagan & B. König, editors: TACAS 
2012, LNCS 7214, pp. 347-361, doi:10.1007/978-3-642-28756-5_24. 

[13] J. Hurd (2002): Formal Verification of Probabilistic Algorithms. Ph.D. thesis, U. of Cambridge. 

[14] J. Hurd, A. McIver & C. Morgan (2005): Probabilistic Guarded Commands Mechanized in HOL. Theoretical 
Computer Science 346(1), pp. 96-112, doi:10.1016/j.tcs.2005.08.005. 

[15] J. Hölzl & T. Nipkow (2012): Markov Models. The Archive of Formal Proofs, 
http://afp.sf.net/entries/Markov_Models.shtml, Formal proof development. 

[16] J.-P. Katoen, A. McIver, L. Meinicke & C. C. Morgan (2010): Linear-Invariant Generation for Probabilistic 
Programs: Automated Support for Proof-Based Methods. In R. Cousot & M. Martel, editors: Static Analysis 
(SAS 2010), LNCS 6337, pp. 390-406, doi:10.1007/978-3-642-15769-1_24. 

[17] M. Kwiatkowska, G. Norman & D. Parker (2011): PRISM 4.0: Verification of Probabilistic Real-time Sys- 
tems. LNCS 6806, doi:10.1007/978-3-642-22110-1_47. 

[18] M. Kwiatkowska, G. Norman, D. Parker & J. Sproston (2006): Performance Analysis of Probabilistic Timed 
Automata using Digital Clocks. FM in System Design 29, pp. 33-78, doi:10.1007/s10703-006-0005-2. 

[19] L. Liu, O. Hasan & S. Tahar (2011): Formalization of Finite-State Discrete-Time Markov Chains in HOL. In 
T. Bultan & P.-A. Hsiung, editors: ATVA 2011, LNCS 6996, pp. 90-104, doi:10.1007/978-3-642-24372-1_8. 

[20] P. Malacaria (2007): Assessing Security Threats of Looping Constructs. In: ACM SIGPLAN Symposium on 
Principles of Programming Languages (POPL'07), pp. 225-235, doi:10.1145/1190215.1190251. 

[21] T. Nipkow, L. C. Paulson & M. Wenzel (2002): Isabelle/HOL: A Proof Assistant for Higher-Order Logic. 
LNCS 2283, Springer, doi:10.1007/3-540-45949-9. 

[22] M. Reiter & A. Rubin (1998): Crowds: Anonymity for web transactions. ACM Transactions on Information 
and System Security (TISSEC) 1(1), pp. 66-92, doi:10.1145/290163.290168. 

[23] V. Shmatikov (2004): Probabilistic analysis of an anonymity system. J. of Comp. Sec. 12, pp. 355-377. 
